A core question is whether it is the data breach that should attract any regulatory penalty (if and when you identify the breach to notify) or the failure to take action to help prevent data on your customers being used for fraud as soon as you discover that it is happening, even if you have not identified how the criminals obtained it. Should that liability also apply to government departments and agencies, including regulators who demand that data be retained even though there is no business reason?
Once fraud has been attempted, the traditional penalties for "aiding and abetting" can be used against those who not only caused the breach but who helped the criminals exploit it. The innocent carrier defence under the e-Commerce Directive is a double-edged sword. The carrier ceases to be innocent if it fails to act on reasonable evidence of activities in breach of its own terms and conditions. Is the solution criminal law (with the burden of proof beyond reasonable doubt and all the overheads of international co-ordination), civil law (using a mix of tort and contract to extract co-operation from all in the ISP supply chain lest they be liable for damages) or a mix of the two?
Hence my previous blog and belief that rabbiting on about data breach notification is just blether, compared to action on Internet addressing, e.g. cleaning up .uk, because "real" action will not happen until a series of successful US class actions for damages reveals the liabilities incurred by those domain name registrars and ISPs whose services are disproportionately used by criminals because of the laxity of their verification processes (if any).
At that point we might well see the addressing vulnerabilities that facilitate criminal (and military and espionage) anonymity start to evaporate, as that which is said to be impossible or impractical suddenly becomes routine practice. That prospect is likely to fill both the cyberwarfare and civil liberties communities with horror. Hence the need for well-informed and balanced debate and scrutiny, like that being organised via the Digital Policy Alliance.